By Hart Brown, CORP, CBCP, CEH, CLCS, LPQ,
Senior Vice President, Practice Leader, Organizational Resilience,
HUB International Limited
Data hacking comes in just about every flavor these days – even the human variety.
Social engineering fraud, or the psychological manipulation of people into performing actions or divulging confidential information, is the latest human-based fraud on the market.
Here’s How It Works:
Criminals research/gather the information about a business, a person or a key executive, they reach out to them, potentially even forming a relationship with them, and eventually execute their plan to hack a human – often through email.
What’s scary is just how good hackers have gotten at convincing people to hand over their most valuable data assets. In fact, the FBI estimates that social engineering scams have cost organizations more than $2.3 billion in losses over the last three years alone.1
How They Get You:
In one of the most common forms of social engineering fraud, Email Phishing, email accounts of C-suite executives are compromised and used to demand a wire transfer. Similarly, a Bogus Invoice, or a fraudulent email sent to a business’ accounts payable department contains what appears to be a legitimate invoice of an existing supplier.
Phone phishing, or “vishing,” employs automation to replicate a legitimate-sounding message that appears to come from a bank or other financial institution, directing the recipient to verify confidential information. Social engineering fraud can take the form of Dumpster diving and forensic recovery, where sensitive information is collected from discarded materials such as old computer equipment, printers and paper files. Tailgating is when criminals gain unauthorized access to company premises by following closely behind an employee entering a facility.
What You Should Do:
- Educate employees so they become vigilant in recognizing fraudulent behavior. Instruct them to be careful of what is posted to social media, especially job duties/descriptions, hierarchal information and out of office details. Teach them not to open spam or unsolicited email from unknown parties, or use the “Reply” option to respond to any financial emails and be aware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via their personal email address when all previous official correspondence has been on a company email, the request could be fraudulent.
- Establish policies and procedures requiring any verbal or emailed request for funds or information transfer to be confirmed in person or via phone. Consider two-factor authorization for high level IT and financial security functions and dual signatures on wire transfers greater than a certain threshold. Avoid free web-based email, establish a private company domain.
Criminal perpetrators are often a step ahead of even the best cybersecurity efforts. You should have a comprehensive cybersecurity plan to protect your senior officers, employees, and your company.
About The Author:
Hart S. Brown, Vice President of Organizational Resilience for HUB International’s Risk Services Division, has nearly 20 years experience in security, crisis management, emergency management and business continuity. A former Program Director for the US Department of State, Brown received an Award of Appreciation from President George W. Bush. He is a widely published security expert and frequent contributor to HUB’s Crisis Management Center blog.